
Sophos Connect Client Policy Deployment - PSK in plain text?

Hello. The deployment instructions for the Sophos Connect Client policy result in a plain text file being created on each workstation which contains all the VPN settings including PSK. Isn't this a significant security risk?



This thread was automatically locked due to age.
  • Hi

    Love the handle....

    Anyway, to answer your question: this does present a small security risk; however, the admin tool should only be used once to create the configuration file. From there you can deploy it via GPO and the user will not have access to it. You should not be creating the file on each user's machine with the admin tool.

    You can read this KBA for using GPO to push the configuration and installation:  https://community.sophos.com/kb/en-us/133555

    If you are a bit worried about using a PSK, you can use the certificate option in the Sophos Connect Client configuration on the XG.  This will then make the Sophos Connect Client configuration file similar to SSL VPN configuration file.

    If you are NOT a home user, please open a support case so that we can get this into development to change it so that it's encrypted. Please note that this will take some time to make it into an official build.


    Thanks!

    KingChris
    Community Support | Sophos Support

    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • Thanks for engaging and replying.

    Per that KB article the GPO copies the .tgb file (which contains the PSK in plain text) to C:\Program Files... from which the user could browse and view it read-only even as a non-admin.

    How does opening a case about it compare to posting something in the Ideas forum? Is either realistically likely to get this fixed?

    I was hoping for v18 to prove to be our final VPN solution but we may have to start looking elsewhere. The VPN functionality simply doesn't scale to even a modern medium-sized enterprise nor integrate with industry standard identity management/MFA solutions like Duo, Authy, etc.

  • Hi

    v18 has introduced a configurable RADIUS authentication timeout to help with the integration to 3rd party MFA such as Duo.

    Sophos Connect Client does have a limitation of running a /24 subnet, but that is being fixed as we speak. In the interim I do suggest using SSL VPN or utilizing the XG L2TP VPN setup.

    If you do not like the PSK in plain text then the next best would be to use a certificate/RSA key based approach or SSL VPN if you are needing more than 254 clients connected at once.

    Opening a case gives more leverage in setting the priority with product management, since there is a current client who is requiring this. Sending it to the Ideas URL will make it sit there for a while, as there is no pressing need for it like there would be if a case were opened.

    Thanks!

    KingChris
    Community Support | Sophos Support


  • Hello,


    "Per that KB article the GPO copies the .tgb file (which contains the PSK in plain text) to C:\Program Files... from which the user could browse and view it read-only even as a non-admin."


    Once the Sophos Connect Client imports a connection, the connection is encrypted and the configuration file is no longer accessible for the user to view. So if the configuration file is pushed via GPO, the user would not have access to open and view the txt file.


    Regards,
    Ramesh

  • Thanks, Ramesh. Will this also work with a .scx file after customizing the .tgb with the admin tool? The .tgb alone is insufficient, since the additional policies can't be defined without running it through that tool to get the .scx.

  • Hello King,


    Yes it will work with the .scx file also.

    Ramesh
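As an added example (not from this thread, Sophos, or the linked KB), here is a PowerShell audit a desktop administrator could run on a workstation after the GPO deployment to verify the claim above: it lists deployed .tgb/.scx files that a standard user can still read and that still contain a pre-shared key in clear text. The search roots and the PSK key names it matches are assumptions and should be adjusted to the actual deployment.

```powershell
# Added example, not Sophos code. Paths and the "PSK" key names are assumptions.
param(
    [string[]]$SearchRoots = @("$env:ProgramFiles\Sophos", "${env:ProgramFiles(x86)}\Sophos"),
    [string[]]$Extensions  = @('*.tgb', '*.scx')
)

# Identities that mean "any interactive, non-admin user can read the file".
$BroadReaders = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

function Test-BroadReadAccess {
    param([System.Security.AccessControl.FileSecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadReaders -notcontains $ace.IdentityReference.Value) { continue }
        # Any ReadData bit granted to a broad group is enough to expose the contents.
        if ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) {
            return $true
        }
    }
    return $false
}

function Test-PlainTextPsk {
    param([string]$Path)
    # Assumption: a clear-text pre-shared key appears as a "PSK=" / "PreSharedKey:"
    # style key/value line. A file encrypted on import will not match this pattern.
    try { $text = Get-Content -Path $Path -Raw -ErrorAction Stop } catch { return $false }
    return [bool]($text -match '(?im)^\s*(psk|presharedkey|pre_shared_key)\s*[=:]\s*\S+')
}

$findings = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include $Extensions -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName
            [pscustomobject]@{
                File          = $_.FullName
                ReadableByAll = Test-BroadReadAccess -Acl $acl
                PlainTextPsk  = Test-PlainTextPsk -Path $_.FullName
            }
        }
}

# Only the combination is the exposure discussed in the thread: a file that a
# standard user can read and that still carries the key in clear text.
$findings | Where-Object { $_.ReadableByAll -and $_.PlainTextPsk } | Format-Table -AutoSize
```

An empty result after the client has imported the connection supports the statement that the pushed file is no longer readable in clear; any row listed is a file whose ACL or contents still need attention.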